
Dynamic keypairs

When you create a dynamic keypair, you define the parameters for generating your keys. While the keypair is being used for signing, it is automatically deleted and replaced with a new keypair and certificate every 15 minutes, keeping the same parameters. This ensures that each signature is produced with fresh key material and limits how long any single private key is in use. When the keypair is not used for signing, it remains unchanged.
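The lifecycle above has one consequence for anyone verifying signatures: a signature made before a refresh verifies only under the public key (certificate) that was current at signing time, never under the key the alias holds now. The following Go program is an added example written for this page, not DigiCert's implementation; it is a constructed model of the refresh rule (refresh only when the key was used and the 15-minute window has elapsed, leave an idle key alone) using Ed25519 from the standard library and an injectable clock so the window can be simulated. The exact refresh timing inside Software Trust Manager is an assumption here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// RotationWindow is the 15-minute refresh interval described on this page.
const RotationWindow = 15 * time.Minute

// Signature carries the public key that was current when the signature was
// made. A verifier must check against this key (in practice, the certificate
// delivered with the signature), not against whatever key the alias holds now.
type Signature struct {
	Sig    []byte
	PubKey ed25519.PublicKey
}

// DynamicKeypair is a constructed model (an assumption, not DigiCert's code)
// of the lifecycle on this page: key material is replaced once the window has
// elapsed, but only if the current key was used for signing; an idle key is
// left unchanged.
type DynamicKeypair struct {
	priv       ed25519.PrivateKey
	pub        ed25519.PublicKey
	created    time.Time
	used       bool             // a signature was made with the current key
	Generation int              // number of refreshes so far
	now        func() time.Time // injectable clock so the window can be simulated
}

// NewDynamicKeypair generates the initial key (generation 0).
func NewDynamicKeypair(now func() time.Time) (*DynamicKeypair, error) {
	k := &DynamicKeypair{now: now, Generation: -1}
	if err := k.refresh(); err != nil {
		return nil, err
	}
	return k, nil
}

// refresh replaces the key material and resets the usage flag and window.
func (k *DynamicKeypair) refresh() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	k.pub, k.priv = pub, priv
	k.created = k.now()
	k.used = false
	k.Generation++
	return nil
}

// Sign refreshes the key first when it has been used and the window has
// elapsed, then signs with whichever key is current.
func (k *DynamicKeypair) Sign(msg []byte) (Signature, error) {
	if k.used && k.now().Sub(k.created) >= RotationWindow {
		if err := k.refresh(); err != nil {
			return Signature{}, err
		}
	}
	k.used = true
	return Signature{Sig: ed25519.Sign(k.priv, msg), PubKey: k.pub}, nil
}

// PublicKey returns the key that the current certificate would carry.
func (k *DynamicKeypair) PublicKey() ed25519.PublicKey { return k.pub }

// Verify checks a signature against the key captured at signing time.
func Verify(s Signature, msg []byte) bool {
	return ed25519.Verify(s.PubKey, msg, s.Sig)
}

func main() {
	now := time.Now()
	k, err := NewDynamicKeypair(func() time.Time { return now })
	if err != nil {
		panic(err)
	}
	msg := []byte("release artifact bytes (constructed sample)")
	s1, _ := k.Sign(msg)
	now = now.Add(20 * time.Minute) // simulate the window elapsing between releases
	s2, _ := k.Sign(msg)
	fmt.Println("refreshes so far:", k.Generation)                                  // 1
	fmt.Println("s1 under the key captured with it:", Verify(s1, msg))               // true
	fmt.Println("s1 under the current key:", ed25519.Verify(k.PublicKey(), msg, s1.Sig)) // false
	fmt.Println("s2 under the key captured with it:", Verify(s2, msg))               // true
}
```

The point to take from the model is the `Signature` type: because the key behind an alias changes, verification pipelines should bind each signature to the certificate it was issued with (which is what the signature logs record per keypair ID) rather than resolving the alias to a key at verification time.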

Create a dynamic keypair

You require the Generate keypair permission to create a keypair.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Create keypair.

  4. Complete the following fields (each field name is followed by its description):

    Keypair type

    Select Dynamic to ensure that your keypair changes every time you complete a signature.

    Keypair alias

    Name to uniquely identify this keypair.

    Team

    This field displays when teams are enabled.

    Select a team that should have access to this keypair.

    Keypair profile

    Select a keypair profile.

    Note

    If you have selected a team, you will only see keypair profiles allocated to that team.

    Algorithm

    Select one of the following algorithms:

    • RSA

      Rivest–Shamir–Adleman (RSA) is widely used and compatible with a broad range of systems and protocols. RSA is a trusted choice for applications requiring broad compatibility and established security practices.

    • ECDSA

      Elliptic Curve Digital Signature Algorithm (ECDSA) is suitable for resource-constrained environments like mobile devices and IoT devices. ECDSA provides strong security with shorter key lengths compared to traditional RSA.

    • EdDSA

      Edwards-curve Digital Signature Algorithm (EdDSA) offers strong resistance against various cryptographic attacks while maintaining efficiency. EdDSA is recommended for applications where security is paramount, such as digital signatures and secure communications.

      Note

      When you select EdDSA, the key curve is set to Ed25519.

    • MLDSA (Quantum-safe)

      Module-Lattice-Based Digital Signature Algorithm (MLDSA) is a quantum-safe approach to cryptographic security. It relies on the difficulty of solving lattice-based problems, which makes it resistant to attacks from quantum computers.

    • SLHDSA (Quantum-safe)

      Secure Lightweight Hash-based Digital Signature Algorithm (SLHDSA) is a quantum-safe approach to cryptographic security. It is designed to offer robust protection with minimal computational overhead. It leverages lightweight hash-based techniques to ensure security while optimizing performance, making it ideal for resource-constrained environments.

    Key size

    This field only displays when the RSA algorithm is selected.

    For RSA, select one of the following key sizes:

    • 2048

      A 2048-bit key size is one of the most commonly used key sizes in asymmetric cryptography, particularly in RSA encryption.

    • 3072

      A 3072-bit key size provides higher cryptographic strength compared to 2048-bit keys.

    • 4096

      A 4096-bit key size offers the highest level of cryptographic security among the RSA options.

    Key curve

    This field only displays when the ECDSA algorithm is selected.

    For EdDSA, the key curve defaults to Ed25519.

    For ECDSA, select one of the following key curves:

    • P-192

      NIST P-192, also known as secp192r1, is an elliptic curve defined over a 192-bit prime field.

    • P-256

      NIST P-256, also known as secp256r1, is an elliptic curve defined over a 256-bit prime field. This curve has a higher security level than P-192 due to its longer key length.

    • P-384

      NIST P-384, also known as secp384r1, is an elliptic curve defined over a 384-bit prime field. This curve offers a significantly higher level of security compared to P-256, as it uses a longer key length and larger computational parameters.

    Security level

    This field only displays when a quantum-safe algorithm is selected.

    For MLDSA, select one of the following security levels:

    • MLDSA-44

      Represents a cryptographic strength equivalent to at least 128-bit symmetric encryption. This level is considered sufficient for many applications requiring strong security, such as protecting sensitive data and communications.

    • MLDSA-65

      Represents a cryptographic strength equivalent to at least 192-bit symmetric encryption. Offers an increased security margin compared to MLDSA-44, making it suitable for applications with elevated security requirements.

    • MLDSA-87

      Represents a cryptographic strength equivalent to at least 256-bit symmetric encryption, the highest of the three levels. Suitable for extremely sensitive applications requiring maximum protection against advanced cryptographic attacks.

    For SLHDSA, select one of the following security levels:

    • SHA2-128s

      Provides a cryptographic strength equivalent to 128-bit symmetric encryption, offering strong protection for general applications.

    • SHAKE-128s

      Offers an equivalent strength of 128-bit symmetric encryption, using SHAKE for flexible security parameters.

    • SHA2-128f

      Similar to SHA2-128s but optimized for faster performance.

    • SHAKE-128f

      Fast variant of SHAKE-128, balancing performance and security.

    • SHA2-192s

      Provides 192-bit symmetric encryption strength, suitable for applications demanding higher security.

    • SHAKE-192s

      Flexible security with 192-bit strength using SHAKE for adjustable output lengths.

    • SHA2-192f

      Fast variant of SHA2-192s, offering higher security with optimized performance.

    • SHAKE-192f

      Fast variant of SHAKE-192, optimized for performance in demanding applications.

    • SHA2-256s

      Offers 256-bit symmetric encryption strength, suitable for highly sensitive applications.

    • SHAKE-256s

      Uses SHAKE for flexible cryptographic output at a 256-bit strength.

    • SHA2-256f

      A faster version of SHA2-256s, providing maximum security with optimized performance.

    • SHAKE-256f

      Fast variant of SHAKE-256, ideal for highly sensitive environments requiring both strong security and high efficiency.

    Keypair category

    Select a keypair category:

    • Production

      Used to sign software released to the public or production environments.

    • Test

      Used to sign software in development or test phases, using short-lived, private certificates.

      Note

      Test keypairs expire after a maximum of 30 days.

    Keypair storage

    Select one of the following key storage methods:

    • SoftHSM

    • HSM

    • Disk

      Note

      MLDSA algorithms can only be stored on Disk.

    Keypair storage provides the following security levels:

    • Level 3

      Key is stored in an HSM that is CA/B compliant. This storage method is FIPS 140-2 Level 2, Common Criteria EAL4+, or equivalent or higher, and is therefore compatible with publicly or privately trusted certificates.

    • Level 2

      Key is stored in an HSM whose certification is lower than Level 3. This storage is only compatible with privately trusted certificates.

    • Level 1

      Key is stored in an uncertified but secure SoftHSM. This storage is only compatible with privately trusted certificates.

    Note

    To use DPoD HSM storage, DPoD must be set up in CA Manager and enabled for your account.

    Keypair status

    Select Online to generate a keypair that can be used to sign at any time.

    Select Offline to generate a keypair that can only be used to sign during a release window.

    Access

    Select Open to allow any user within your account access to the keypair.

    Select Restricted to limit access to the keypair to specified users, user groups, or teams.

    Allowed users

    For Restricted keypairs, you can specify which users can use the keypair.

    Allowed user groups

    For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.

    Generate certificate

    When this box is checked, a default certificate is generated for the keypair along with the keypair itself.

    Keypair validity

    Select Match keypair and certificate expiry dates to set the keypair's expiry date to the same date that your default certificate for the keypair expires.

    Note

    The keypair will expire at midnight (UTC) of the same day your certificate expires.

    Select Select an expiry date to set a specific expiry date for your keypair. The keypair will expire at the end of the day you selected, precisely at midnight (UTC).

    Select Never expire to keep your keypair active until you manually add an expiry date.

  5. Select Create keypair.
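The Algorithm, Key size and Key curve fields above describe the trade-offs only qualitatively (ECDSA gives "shorter key lengths", larger RSA sizes give "higher cryptographic strength"). The following Go program is an added example, not code from DigiCert or Software Trust Manager, that makes those choices concrete: it generates a key for each profile with the Go standard library, signs a sample artifact, verifies the signature, and reports the DER-encoded public key and signature sizes. RSA-PSS with SHA-256 is the padding assumed here for RSA; P-192 and the MLDSA/SLHDSA options are not available in Go's standard library, so the example rejects them rather than emulating them.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Profile mirrors the keypair form on this page: an algorithm and its
// size-or-curve parameter. Constructed for this example.
type Profile struct {
	Algorithm string // "RSA", "ECDSA" or "EdDSA"
	Parameter string // "2048", "3072", "4096", "P-256", "P-384" or "Ed25519"
}

// Result reports the concrete cost of a profile: DER-encoded public key
// length, signature length, and whether the signature verified.
type Result struct {
	Profile  Profile
	PubBytes int
	SigBytes int
	Verified bool
}

// curveFor maps the page's curve names to Go's standard-library curves.
func curveFor(name string) (elliptic.Curve, error) {
	switch name {
	case "P-256":
		return elliptic.P256(), nil
	case "P-384":
		return elliptic.P384(), nil
	}
	return nil, fmt.Errorf("curve %q is not available in the Go standard library", name)
}

// Exercise generates a key for the profile, signs the SHA-256 digest of msg
// and verifies it with the public key, as a signing service and a downstream
// verifier would.
func Exercise(p Profile, msg []byte) (Result, error) {
	digest := sha256.Sum256(msg)
	var pub crypto.PublicKey
	var sig []byte
	var verified bool
	switch p.Algorithm {
	case "RSA":
		var bits int
		if _, err := fmt.Sscanf(p.Parameter, "%d", &bits); err != nil {
			return Result{}, err
		}
		priv, err := rsa.GenerateKey(rand.Reader, bits)
		if err != nil {
			return Result{}, err
		}
		// RSA-PSS is the assumed padding; nil opts selects the default salt length.
		if sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil); err != nil {
			return Result{}, err
		}
		verified = rsa.VerifyPSS(&priv.PublicKey, crypto.SHA256, digest[:], sig, nil) == nil
		pub = &priv.PublicKey
	case "ECDSA":
		c, err := curveFor(p.Parameter)
		if err != nil {
			return Result{}, err
		}
		priv, err := ecdsa.GenerateKey(c, rand.Reader)
		if err != nil {
			return Result{}, err
		}
		if sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:]); err != nil {
			return Result{}, err
		}
		verified = ecdsa.VerifyASN1(&priv.PublicKey, digest[:], sig)
		pub = &priv.PublicKey
	case "EdDSA":
		// Ed25519 hashes internally, so the raw message is signed.
		pk, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return Result{}, err
		}
		sig = ed25519.Sign(priv, msg)
		verified = ed25519.Verify(pk, msg, sig)
		pub = pk
	default:
		return Result{}, fmt.Errorf("unsupported algorithm %q", p.Algorithm)
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return Result{}, err
	}
	return Result{Profile: p, PubBytes: len(der), SigBytes: len(sig), Verified: verified}, nil
}

func main() {
	profiles := []Profile{
		{"RSA", "2048"}, {"RSA", "3072"}, {"RSA", "4096"},
		{"ECDSA", "P-256"}, {"ECDSA", "P-384"}, {"EdDSA", "Ed25519"},
	}
	msg := []byte("example artifact bytes (constructed sample)")
	for _, p := range profiles {
		r, err := Exercise(p, msg)
		if err != nil {
			fmt.Println(p.Algorithm, p.Parameter, "error:", err)
			continue
		}
		fmt.Printf("%-6s %-8s pubkey=%4d B  sig=%4d B  verified=%v\n",
			p.Algorithm, p.Parameter, r.PubBytes, r.SigBytes, r.Verified)
	}
}
```

Running it shows why the page steers resource-constrained targets to ECDSA or EdDSA: an RSA-2048 signature is 256 bytes and RSA-4096 is 512, while P-256 signatures are about 70 bytes and Ed25519 signatures are exactly 64, with public keys shrinking in proportion.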

Refresh dynamic key

You can refresh a dynamic key from Software Trust Manager or SMCTL.

Dynamic keys in Audit logs

To search for recently refreshed dynamic keypairs:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Logs > Audit logs.

  4. Identify the Type column and filter by Dynamic.

  5. Identify the Action column and filter by Refresh.

Dynamic keys in signature logs

To search for signatures completed with the dynamic key:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Logs > Signature logs.

  4. Identify the Keypair alias column and filter by the keypair alias.

    or

    Identify the Keypair ID column and filter by the specific dynamic keypair ID.